How to include statutory and regulatory requirements in your QMS

One of the requirements embedded in ISO 9001:2015 is the need to understand and include statutory and regulatory requirements within the Quality Management System (QMS); however, many people have difficulty understanding how to do this. To help understand this process, there are three main questions to answer: what are these requirements, what does ISO 9001:2015 require, and how can I best include the requirements?

What are statutory and regulatory requirements?

By definition, “statutory” refers to anything relating to a decree or act, and “regulatory” is related to state, national, or international laws and regulations – so, requirements of these sorts come from the legal system. These legal requirements are mandates that you need to follow for your products or services in order for them to be made legally available for sale. An example would be the safety requirements for sports helmets; helmets need to meet a certain level of testing to be considered safe for use, and any company that produces helmets needs to make sure its product meets these mandatory requirements.

What does ISO 9001:2015 mandate for these requirements?

In ISO 9001:2015, statutory and regulatory requirements are mentioned in conjunction with customer requirements. In all cases, your products and services need to meet customer and applicable statutory and regulatory requirements, and ISO 9001:2015 points out where you need to consider this in your QMS. This comes into consideration when understanding the needs of interested parties, understanding all requirements to ensure customer focus is maintained, determining and reviewing the requirements for your products and services, collecting design and development inputs, deciding what control you will have over external providers, and planning post-delivery activities.

How can you best include these requirements in your QMS?

Of course, before you can include statutory and regulatory requirements in your QMS, you need to identify which are applicable to you, your processes, and your products and services. You need to know what laws and other mandatory requirements you need to meet in order to legally provide your products and services, and ISO 9001:2015 Appendix A.3 is very clear that it is for you to decide if any particular requirement of an interested party is relevant to your QMS. So, you need to have a way to identify the statutory and regulatory requirements that you need to meet, and you then need to ensure that you keep up to date on any changes.

Once you know the requirements you need to meet, you then need to find a way to bring them into your QMS. It does not make sense to try to have a separate method of controlling the activities that your employees need to do to meet statutory and regulatory requirements, so including these requirements in the processes, procedures, and documented information that your employees follow is advisable.

There are basically two main types of statutory and regulatory requirements to consider in your QMS:

  • Requirements applicable to your products or services: These requirements include the specifications your products and services need to meet in order to be legally available for sale. This would include such items as safety testing standards (such as the helmet example above) or acceptable or unacceptable materials to use (such as restrictions on the use of asbestos). These requirements should be embedded into the product and service specifications that your employees use in design and production. If there are certain design requirements, such as material choice, these should be included within your design inputs and product specifications. If there are certain tests that are mandated, these should be included in any test instructions you have. You do not want to leave these requirements to chance, with the risk that separate information, such as a second test plan, is missed due to human error.
  • Requirements applicable to your processes and procedures: These requirements include mandates that need to be incorporated into your business processes and procedures. Some examples would be requirements for employee competence (such as vetting employees for a bonded carrier service) or safety requirements for employees working at heights to perform a process. The requirements need to become part of the way your process works so that employees know what to do when creating your products and services. If there is a documented procedure for performing the process, include these requirements within it; or, if you are controlling your process through adequate training, ensure that these requirements are included in the training. For the example of the competence requirements, these should be included with your other competence requirements for the job, such as a job description. All information for operating a process should be included in one location.

Don’t lose track of your statutory and regulatory requirements

The most important thing to remember about statutory and regulatory requirements is that it is your responsibility to identify them and then ensure that they are maintained and included in your QMS as applicable. By including these requirements within the documentation and practices of your QMS, you can better ensure that these important requirements are met and maintained, so that you can continue to legally provide your products and services by meeting all requirements that are applicable. Incorporating these requirements means that they are not easily forgotten.

For a better understanding of ISO 9001:2015 for statutory and regulatory requirements, check out this free online training: ISO 9001:2015 Foundations Course.

Author: Mark Hammar, Advisera
Mark Hammar is a Certified Manager of Quality / Organizational Excellence through the American Society for Quality and has been a Quality Professional since 1994. Mark has experience in auditing, improving processes, and writing procedures for Quality, Environmental, and Occupational Health & Safety Management Systems, and is certified as a Lead Auditor for ISO 9001, AS9100, and ISO 14001.